--- Begin Message ---
Package: openssh-server
Version: 1:8.2p1-3
Severity: wishlist
Tags: upstream wontfix

Feb 27 16:00:07 tglase-nb sshd[11219]: Unable to negotiate with 192.168.178.24 port 42930: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]

This is vx.connectbot, a well-known Android SSH client.

To restore connectivity put…

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1

… into /etc/ssh/sshd_config and restart sshd. Note that this
will lower the security level of your server and probably not
work any more at some point in the future.
-- System Information:
Debian Release: bullseye/sid
APT prefers buildd-unstable
APT policy: (500, 'buildd-unstable'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.4.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/lksh
Init: sysvinit (via /sbin/init)
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.73
ii dpkg 1.19.7
ii libaudit1 1:2.8.5-2+b1
ii libc6 2.29-10
ii libcom-err2 1.45.5-2
ii libcrypt1 1:4.4.10-10
ii libelogind0 [libsystemd0] 241.3-1+debian3
ii libgssapi-krb5-2 1.17-6
ii libkrb5-3 1.17-6
ii libpam-modules 1.3.1-5
ii libpam-runtime 1.3.1-5
ii libpam0g 1.3.1-5
ii libselinux1 3.0-1+b1
ii libssl1.1 1.1.1d-2
ii libwrap0 7.6.q-30
ii lsb-base 11.1.0
ii openssh-client 1:8.2p1-3
ii openssh-sftp-server 1:8.2p1-3
ii procps 2:3.3.16-2
ii runit-helper 2.8.14
ii ucf 3.0038+nmu1
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages openssh-server recommends:
ii libpam-elogind [logind] 241.3-1+debian3
pn ncurses-term <none>
ii xauth 1:1.0.10-1
Versions of packages openssh-server suggests:
ii kwalletcli [ssh-askpass] 3.02-1
ii molly-guard 0.7.2
pn monkeysphere <none>
pn ufw <none>
-- Configuration Files:
/etc/ssh/moduli changed [not included]
-- debconf information:
openssh-server/permit-root-login: true
* ssh/use_old_init_script: true
openssh-server/password-authentication: true
ssh/disable_cr_auth: false
ssh/encrypted_host_key_but_no_keygen:
ssh/vulnerable_host_keys:
--- End Message ---
--- Begin Message ---
On Thu, Feb 27, 2020 at 04:05:44PM +0100, Thorsten Glaser wrote:
> Package: openssh-server
> Version: 1:8.2p1-3
> Severity: wishlist
> Tags: upstream wontfix
>
> Feb 27 16:00:07 tglase-nb sshd[11219]: Unable to negotiate with 192.168.178.24 port 42930: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
>
> This is vx.connectbot, a well-known Android SSH client.
>
> To restore connectivity put…
>
> KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha1
>
> … into /etc/ssh/sshd_config and restart sshd. Note that this
> will lower the security level of your server and probably not
> work any more at some point in the future.

Indeed. The change to the default key exchange proposal is already
documented in NEWS.Debian, so closing this bug. I'm not going to keep
wontfix bugs open as documentation - there's enough in the bug list
already!

Has somebody already filed a bug against vx.connectbot?
--
Colin Watson [cjwatson@debian.org]
--- End Message ---
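
The negotiation failure reported above, as an added example that is not part of either message or of OpenSSH: it parses the sshd log line, flags a client that offers only SHA-1 key exchange, and applies a simplified form of the RFC 4253 section 7.1 rule (first client algorithm the server also lists) before and after the workaround. The function names are hypothetical, and the "before" list is assumed to be the workaround list without its last entry.

```python
import re

# The sshd log line from the report (copied from the message above).
LOG_LINE = (
    "Feb 27 16:00:07 tglase-nb sshd[11219]: Unable to negotiate with "
    "192.168.178.24 port 42930: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]"
)

# KexAlgorithms value from the report's workaround.
WORKAROUND = (
    "curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,"
    "ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,"
    "diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,"
    "diffie-hellman-group-exchange-sha1"
).split(",")
# Assumption: the server's list before the workaround is the same minus the last entry.
BEFORE = WORKAROUND[:-1]

FAIL_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>\S+) port (?P<port>\d+): "
    r"no matching (?P<kind>.+?) found\. Their offer: (?P<offer>\S+)"
)

def parse_failure(line):
    """Return peer, failure kind and offered algorithms, or None if no match."""
    m = FAIL_RE.search(line)
    if m is None:
        return None
    return {"peer": m["peer"], "kind": m["kind"], "offer": m["offer"].split(",")}

def negotiate(client_offer, server_list):
    """First client algorithm the server also lists (simplified RFC 4253 7.1)."""
    return next((alg for alg in client_offer if alg in server_list), None)

def sha1_only(offer):
    """True when every offered key exchange method hashes with SHA-1."""
    return bool(offer) and all(alg.endswith("-sha1") for alg in offer)

if __name__ == "__main__":
    f = parse_failure(LOG_LINE)
    print(f["peer"], f["kind"], "SHA-1 only:", sha1_only(f["offer"]))
    print("before workaround:", negotiate(f["offer"], BEFORE))
    print("after workaround: ", negotiate(f["offer"], WORKAROUND))
```

Run over an auth log, the same parser shows which peers would be cut off by the default proposal before anyone decides whether to re-enable a SHA-1 method for them.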